Thus spake "Iljitsch van Beijnum" <iljitsch(_at_)muada(_dot_)com>
Actually in IPv6 you are well-protected against random scanning withough
the need for any device in the middle: a /64 subnet is so large, that
scanning it is completely infeasible.
Now of course someone who knows your address doesn't have to scan, so this
protection isn't complete. But for TCP it's entirely trivial to only allow
sessions to be set up in one direction. Full stateful firewalling is of
course also possible. However, both these options bring back some of the
downsides of NAT: in order to make incoming sessions possible, there must
be configuration of some sort.
IMHO a firewall function, probably stateful, is necessary in nearly all
cases. However, this has gotten so mixed up with NAT that many people (even
at vendors) don't realize they're different things.
With v6 we have the ability to fix this; through some magic function, users
should be able to get a PA (at a minimum) subnet behind their local
router/modem/whatever and have a decent interface to configure inbound
filters, similar to how they can configure evil NAT port-forwarding today.
A default filter that rejects packets for services that are generally
intended for local use only would probably be good enough for a
residential IPv6 router. Other services are either not enabled and/or
firewalled in the host anyway, or the user actually wants them to work.
(It would be incredible helpful to have all these local-use services in a
fixed range of port numbers for easy filtering...)
Default filters are a pain, because inevitably they end up blocking
something that's useless today but a critical need tomorrow... For
instance, my @#%#^& Linksys not only doesn't understand native IPv6 (hello,
wake up Cisco!) but it even blocks IP-in-IP packets so I can't use an IPv6
tunnel.
At a minimum, vendors should document _everything_ the default filter does
and allow the user to disable it if necessary. You don't need to load the
gun for them, but if someone wants to shoot themselves in the foot, it's not
your duty to prevent them, because they might have a perfectly good reason
to.
S
Stephen Sprunk "God does not play dice." --Albert Einstein
CCIE #3723 "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf